Perhaps the most important rights you
have with regard to your medical information are the ability to access your own
records, to amend them, and to receive an accounting of who else has accessed
them. For the time being, the original federal HIPAA regulations govern these
rights, but they will soon be updated by new regulations based on changes made
in the 2009 Health
Information Technology for Economic and Clinical Health Act[3]
(HITECH Act). This Fact Sheet describes
both the current rules and the anticipated changes. It also discusses the California laws that
give you certain rights concerning your medical information.

a. You have the right to access
your own medical records.

California law
grants individuals broad general access to their medical records: “The
Legislature finds and declares that every person having ultimate responsibility
for decisions respecting his or her own health care also possesses a
concomitant right of access to complete information respecting his or her
condition and care provided.” (Cal. Health & Safety Code §123100) In
California you may inspect your medical records within five business days of
making a request, and receive copies within 15 business days. The maximum
charge for copies is $0.25 per page, or $0.50 per page if the copies are from
microfilm. (Cal. Health & Safety Code §123110)

HIPAA also
requires covered entities to provide you with a copy of your medical records
(with some exceptions, such as psychotherapy notes) in whatever format you
request, within 30 to 60 days of requesting them, for a “reasonable” copying
charge, plus postage. Your request may be denied, but you can appeal the
denial. (45 CFR § 164.524) Despite the regulation, one of the top five HIPAA
complaints[4]
to the Department of Health and Human Services (HHS) concerns the difficulty in
obtaining copies of medical records.

The HITECH rule changes should
reinforce individuals' rights to receive copies of their medical records in the
form they request, and extend that right to records kept on paper, as well as
electronically.

b. You have the right to request an amendment to
your medical records.

If, after you request and review your medical
records, you find they contain information about treatments or tests that you
believe is incorrect or may not belong to you, HIPAA gives you the right to
request an amendment to your records. (45 CFR § 164.526)

California’s Patient Access to Health Records
Act (PAHRA) also gives you a right to amend your medical record, and clarifies
the procedure for doing it. (Cal. Health & Safety Code §§123100-123149.5) You
may submit a written amendment of up to 250 words regarding any item or
statement in your records that you believe is incomplete or incorrect, and you
may ask to have the amendment included in your record and be disclosed to any
third party (such as another doctor or an insurer) that requests your record.
The record holder does not have to remove the contested information but adds
your amendment and the reason why it is being made.

The Information Protection Act (IPA) gives
you the right to amend any personal information (including medical information)
held by state agencies. (Cal. Civ. Code §§1798-1798.78) After it receives your request, the state agency
has 30 days to either make the correction or deny the request and inform you of
your right to a review of that decision. To learn more about your rights under
the IPA, including how to request to inspect or amend your records, see the
California Department of Health and Human Services (DHHS) publication, “Rights
of Individuals Under the Information Practices Act.”[6]

c. You may request restrictions
on disclosure of your medical information.

Under HIPAA, you
have at best a nominal right to restrict disclosure of your medical
information. In other words, you can ask, but a covered entity has no
obligation to comply with your request. (45 CFR § 164.522)

If approved, proposed
changes to the regulation will give you the right to restrict disclosure of
medical information for the purpose of payment or health care operations
(unless disclosure is required by law) if
the information relates solely to an item or service that you pay for yourself.
Note that the proposed changes apply to payment or health care operations, and
not to disclosures for treatment purposes.
Several key aspects of this regulation are still undecided. Questions remain
about how difficult the regulation may be to administer; whether the covered
entity that has the record must inform other providers of your request; and
which disclosures are “required by law.”

A provider or health plan must also
accommodate a reasonable request concerning how you wish to receive
confidential communications about your medical information. That is, you may
ask to receive them at a certain address or phone number, or by a specific
means, such as U.S. mail, email, or text. You may have to make the request in
writing and include alternative choices, and agree to pay any unusual costs, such
as courier service charges. (45 CFR § 164.522)

California
law is silent on a general right to request restrictions on disclosures of your
medical information. But in the case of sensitive information such as mental
health records, HIV test results, and substance abuse treatment, you may
withhold consent to disclosure if no exception applies. For example, results of
an HIV test may be disclosed without your consent to your health care providers
for the purposes of diagnosis, care, and treatment. (Cal. Health & Safety
Code § 120985)

Another exception imposes a duty on mental health professionals
to warn potential victims of a danger posed by a violent patient. (Tarasoff
v. Regents of the University of California, 17 Cal.
3d 425, 551 P.2d 334, 131 Cal. Rptr. 14 (Cal. 1976).) Permission to disclose such information,
although not the duty to do so, is
codified in Cal. Civ. Code §56.10(c)(19).

d. You have the right to know who
has requested and received copies of your medical information.

California law does not address the
right to request information about who has requested and received copies of
your medical information—known as an accounting of disclosures. Instead, the
HIPAA regulations allow for an accounting that goes back for a period of six
years prior to the date of your request. However, the right is virtually
meaningless since it excludes disclosures for treatment, payment, and health
care operations—essentially the only reasons your information would be
disclosed. (45 CFR §164.528)

The HITECH Act will remedy the omission
of treatment, payment, and health care operations from disclosures that must be
accounted for, but it’s not yet clear what the new rule will be. In addition, the
issue is contentious enough that this rule will be delayed even longer than the
rest of the new rules. It’s expected to shorten the accounting period to three
years for all accountings and to contain a list of specific disclosures that require
an accounting.

3. What are your rights in the event that your
medical information is breached?

In 2002, California passed the first
security breach notification law in the U.S. In 2008, the law was extended to
cover medical records. (Cal. Civ. Code
§§ 1798.82 and 1798.29) The HIPAA
regulations were silent on breach notification, so prior to the passage of the
HITECH Act, California law applied. Interim final breach notification
regulations are now in effect (with final regulations expected during 2012), and have more or less caught up with California. Where California
law remains stricter is noted below.

A breach is defined as unauthorized
access to unencrypted or unsecured information.
California law and HIPAA give you certain rights if your identifiable
medical information is breached:

Any covered entity that handles
unsecured protected health information must notify you of a breach of that
information.

If a business associate of a
covered entity has a data breach, it must notify the covered entity, which must
in turn notify you.

The covered entity must tell you
whether your medical information has been disclosed to outside third parties or
unauthorized insiders with access.

HITECH also applies breach notification
requirements to “other non-covered entities,” such as those offering products
and services on a PHR vendor’s website. An example might be an online diabetes
or other disease management service available to PHR account holders through
the main PHR website. Such services often require consent to share personal
medical information.

Under HIPAA, a covered entity
must notify you of a breach without unreasonable delay, but no more than 60
days after the breach is discovered or the covered entity should have known
about it.

California law is far stricter:
clinics, health facilities, home health agencies, and hospices have only five
business days after discovering a breach of medical information to report it to
all affected patients. (Cal. Health
& Safety Code §1280.15(b)(2))

California requires detailed
breach notices. The notice must include
a general description of the incident, type of information breached, date and
time of the breach, and toll-free telephone numbers and addresses of the major
credit reporting agencies in California.
In addition, the covered entity must send an electronic copy of the
notice to the Attorney General if a single breach affects more than 500
Californians.

Federal
regulations require breaches that affect 500 or more people living in the same
immediate area to be reported to "prominent local media" and to the
Department of Health and Human Services.
HHS maintains a current list[8]
of these breaches.

Under California law, individuals
have the right to sue either the entity or the person responsible for a breach
of medical information. However, proof
of actual monetary damage is required.
(Cal. Civ. Code § 1782(b)) An example of monetary damage could be that,
as a result of stress or humiliation resulting from the exposure of your
information, you needed medical or psychological treatment or medication.

Under both
California law and HIPAA, an attorney general may also bring a lawsuit over a
data breach. Even without personal
damages, a court may impose civil damages of up to $1000 on a health care
provider for each individual whose information was breached, based only on
proof that a breach occurred. (Cal. Civ. Code § 56.36)

4. What are your rights regarding the sale of
your medical information?

Personal health information is a
valuable commodity. Many businesses are interested in collecting it to profile
consumers for targeted marketing, and because of its worth, covered entities
may also be motivated to sell personal health information.

California law is vague on the
circumstances under which medical information may be sold. It prohibits covered entities from
intentional unauthorized sales of medical information "for a purpose not
necessary to provide health care services to the patient." (Cal. Civ. Code
§ 56.10(d)) However, there is no guidance as to what "necessary" and
"health care services" mean in this context. It is up to the covered entity to interpret, and
this seems to leave the door open for sales.

Proposed changes to HIPAA require your
authorization before a covered entity may receive any direct or indirect
payment for your medical information.
But, as always, there are exceptions.
Under the current rule they include:

permitted public health
activities;

certain kinds of research, but
the price of the information must reflect the actual costs of preparing and
transmitting the data (in other words, it cannot be sold for profit);

your treatment as a patient—a
potentially vast exception that needs further regulation, for example, what
constitutes “treatment” and is there any limit to the products or services that
are necessary for treatment;

when a covered entity that has
your medical information is sold, transferred, merged, or consolidated with
another covered entity;

when a covered entity pays a
business associate for activities that the business associate conducts on its
behalf—for example the business associate is a billing service that bills you
on behalf of a health care provider; and

what a covered entity charges for
providing you with a copy of your medical information.

The new rules on the sale of your
medical information will likely add exceptions for cost-based payments that
cover the expense of preparing and transmitting the information for disclosures
required by law or for any other permitted purpose.

Ideally, the final regulations will
create a strong prohibition on actual sales of medical information while
permitting reasonable payments for legitimate uses, including public health and
research, patient care, and data collection for quality improvement
purposes. One regulatory shortcoming is
already clear: there is nothing in the rules about auditing sales of medical
information, nor is there any kind of enforcement or penalties for violations.

5. What are your rights regarding the use of your
medical information for marketing?

Selling your information for marketing purposes
can be a factor in a covered entity's economic well-being. There is a great demand from health care
products and services marketers for information that lets them target people as
individually as possible. In the context
of health care, this might mean targeting people by a disease or condition they
may have.

California has somewhat stronger and
less muddled protections than the federal HIPAA regulations. In California, a covered entity needs your written
authorization to use medical information for marketing purposes, and must give
you clear notice of how the information will be used and shared. (Cal. Civ. Code § 1798.91) Covered entities are generally prohibited
from disclosing medical information for unauthorized marketing communications
paid for by third parties. An example of this could be prescription-refill
reminders when a pharmaceutical company pays your pharmacy to send them. The
exceptions to this prohibition are:

when the communication is not
compensated either monetarily or with other economic benefits such as gifts;

when the communication is made to
health plan members about plan benefits or services, or about the availability
of more cost-effective prescription drugs;

when a communication is specifically
tailored to an individual to advise or educate about treatment options. If the communicator receives any form of
payment, it must clearly disclose this to the individual in the communication. In addition, the communicator must disclose
the source of the payment, and it must give the individual the ability to opt
out of future communications. (Cal. Civ.
Code §§ 56.05(f), 56.10)

When you think about the personal
information a marketer needs to tailor a message specifically to you, the last
exception is troubling, even though you must be told of your right to opt out.

Just as California law struggles to
balance individual privacy and control of medical information against the need
for valid communication with patients, the HIPAA regulations try to maintain a
similar equilibrium. HIPAA defines a marketing communication as "a message
about a product or service that encourages you to buy or use" it. (45 CFR § 164.501) As with California law, prior written
authorization is required.

However, the exceptions in HIPAA are
broader than under California law. They do
not consider the following to be "marketing" and therefore allow
unauthorized paid communications for: 1) a covered entity pitching its own
health care products or services; 2) treatment purposes; and 3) case management
or care coordination, or to recommend alternative treatments, therapies, health
care providers, or settings of care. (45
CFR §164.501)

The reasoning behind the above HIPAA
exceptions is that they are treatment or health care operations. However, terms
like "treatment", "case management", and "care coordination"
lack clear definitions. This means you may receive unauthorized communications
that look like marketing to you but fit into one of the exceptions.

Also, while HIPAA does
not allow covered entities to sell medical information to third parties for
marketing purposes, the same third parties can pay a covered entity to send
marketing communications on their behalf, as long as they conform to one of the
exceptions above. For example, a Medicare + Choice or other managed
care organization could not sell your information directly to a health and
fitness club, but it could offer you a free or discounted membership at such a
club, in a communication the club pays for, without your authorization.

HITECH
attempts to narrow HIPAA's loopholes by calling any communication paid for by a third party marketing, even if it
would otherwise qualify as an exception. But then, HITECH seems to toss the
third-party payment restriction out the window by creating three new exceptions
for paid marketing communications (42 U.S.C. §17936):

messages that describe a
drug or biologic (a product made from biological rather than chemical
processes, such as a vaccine, gene therapy, or blood for a transfusion)
that you have previously been prescribed, so long as the amount of the
payment is "reasonable";

you have previously
authorized marketing communications; or

a business associate of the
covered entity makes the communication under its business associate
agreement.

You should carefully read and make sure
you understand any authorizations you are asked to sign. You should also exercise your rights under
California law to opt out of "specifically tailored" marketing
communications if you do not want to receive them. Make sure you know whether
you are giving your consent or your authorization.

Consent means that you have received, read,
and signed (or not) a notice about the uses and disclosures of your protected
health information for treatment, payment, and health care operations. An authorization is your signed and dated
permission to use and disclose your medical information. If you are providing an authorization, find
out whether it is limited in scope and duration or very generalized and
open-ended. Do you have the right to opt
out of the agreement if you change your mind?

Remember, too, that there are other ways
for marketers to obtain medical information pertaining to you, if not your
entire record. Unfortunately, these are generally beyond the reach of state and
federal privacy protections. Selling or
renting specialized consumer profiles is a big business, and includes lists
that categorize people by disease or diagnosis.
Since your health care providers are legally prohibited from selling or
giving personal health information to list brokers, you may well be the source
yourself.

There is no one convenient way to remain
anonymous and unprofiled short of giving up both credit cards and the Internet.
Therefore, it is best to be cautious about what information you give out and to
whom. If you read or ask about the
privacy policy of a website or business BEFORE you interact with it, you may
have a better idea of whether you want to proceed.

6. How is medical information used for
fundraising, and can you opt out?

California law is silent on the use of
medical information for fundraising by health care providers, which generally
means hospitals, so HIPAA applies. HIPAA considers fundraising to be a health
care operation. A covered entity may use
your demographic information and medical appointment dates—but not treatment
information—to fundraise without your authorization.

A covered entity may also share this information
with a business associate or a related foundation (for example, many hospitals
have related but separately incorporated nonprofit foundations that fundraise
on their behalf). (45 CFR § 164.514(f))
A fundraising communication must allow you to opt out, but the
fundraiser has to use only "reasonable efforts" to honor your
request. You may not be denied health
care or insurance coverage if you choose to opt out of receiving fundraising
communications.

Since fundraising is often contracted to
third parties outside of the healthcare system—that is, to business associates—it
would help if the requirements that limit the types of data used for
fundraising were better enforced to prevent improper use of medical
information. In that way you might be reassured that you were not being
targeted by a fundraising campaign for a new oncology wing because the
fundraiser has information that you have been treated for cancer.

7. Could your medical information be better
protected than it is?

California laws and HIPAA help bring
greater transparency, privacy and security protection, and enforcement to the
complex flows of medical information that characterize the modern healthcare
industry. However, more is needed.

For example, while HIPAA requires business
associates to destroy or return "as nearly as feasible" all protected
health information they create or receive from covered entities when the
business associate agreement ends, this requirement is not audited for
compliance. And, although states have
different record-retention requirements and other laws concerning returning
data files or destroying data, there should be limits on the length of time
that contractors and business associates may retain medical information for any
purpose not directly related to treatment.

Health care providers typically assert
that they take patient privacy very seriously.
However, numbers tell a different story.
Since all data breaches involving 500 or more records started being
reported to the U.S. Department of Health and Human Services in February 2012,
almost 31,000
breaches have occurred[8], involving at least 8 million
individual records.

According to a PricewaterhouseCoopers
survey[10] of 600 hospital executives
released in September 2011, 66 percent of the total reported healthcare
breaches in the two years preceding the survey were due to the theft of
portable media (primarily laptops, storage devices, backup drives, and
mobile devices), and 40 percent of providers surveyed reported an incident of improper
internal use of health information by employees with access to it.

A December
2011 survey by the Ponemon Institute[11] (requires
giving personal information to download) finds an increase in medical data
breaches since 2010, with a rise in errors by business associates and growing
use of unsecured mobile devices (such as laptops, tablets, and smartphones). This trend already has its own acronym—BYOD,
or bring your own device. Another privacy and security problem on the horizon
for medical information (along with every other kind of information) is cloud
storage, which presents issues of who controls the data and what they may do
with it, as well as how secure it is.

Clearly, those who control and maintain
healthcare records have a long way to go with such basic privacy and
security-enhancing practices as accounting for mobile devices, employee
education, facility security, real-time system auditing, and encryption, for a
start.

8. Resources

California
Information Practices Act: to learn more about the IPA and
how to request information, see the California Department of Social Services
pamphlet, “Rights of Individuals under the Information Practices Act,” at http://www.dss.cahwnet.gov/pdf/ipaattachment1.pdf[6].

California
Patient Access to Health Records Act: to learn
more about PAHRA and how to request information, including a complaint form if
you have problems with your request, see the Medical Board of California’s
website: www.mbc.ca.gov/consumer/access_records.html[12]

The Center
for Democracy and Technology provides extensive information about medical
privacy, with many practical tips on how to exercise your legal rights
concerning your medical information: http://cdt.org/issue/health-privacy[16].